This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Crooks Turn to Delivering Ransomware via RDP

In a new twist to an old attack, threats actors are increasingly using the remote access protocol to install ransomware, Sophos says

In a new twist to an old attack technique, some threat actors have begun installing ransomware on Windows networks by breaking into them via weakly protected Microsoft Remote Desktop Protocol (RDP) services.

Security vendor Sophos says it has seen a spate of such attacks recently with the victims in most cases being small companies with 30 or fewer staff members that rely on external parties to manage their Windows networks remotely.

Unlike typical ransomware campaigns in which the malware is mass distributed via phishing and other means, the crooks in these attacks are breaking into Windows systems one at a time and running ransomware on them manually using RDP access.

The trend highlights the need for organizations to ensure that RDP is turned off on all computers on the network on which it is not needed, to use VPNs for external connections and to implement strong authentication where possible, Sophos said.

"For a small business, RDP is often the only way to get IT support at all," says Paul Ducklin, senior technologist at Sophos. It allows a third party located across town, in another state, or overseas to remotely access a Windows network and administer it with nearly same level of control over it as a local user. RDP can be handy, but if the service is left open to the Internet as businesses sometimes do, attackers can try and brute force their way into your network, Ducklin says.

"When an [RDP] server is open to the Internet, it means that you'll accept incoming connections from anywhere, including users on computers in other companies, other cities, other states, other countries," Ducklin says. "Loosely speaking, any computer, or mobile device, that can send packets outwards on the Internet can connect inward to your server and get a response of some sort."

Recently, Sophos has seen evidence that attackers have begun using scanning services such as Shodan and Censys to search for systems with RDP open to the Internet. They have then been using the NLBrute tool to try and guess RDP passwords and brute force their way into such systems.

"Many small businesses have a dedicated computer to handle RDP connections, or will just let RDP users connect directly to the main server," Ducklin says. "Shodan is looking for open ports visible somewhere, anywhere, that lead to RDP somewhere inside the network."

Attacks against RDP are certainly not new. The difference is that attackers increasingly have begun using their RDP access to then install ransomware on systems. In several of the cases that Sophos has investigated, attackers have first initiated a series of measures to disable and disarm security settings on the network to which they have gained access, before running ransomware on them.

Some of the measures have included killing off processes that disallow shutdown, deleting locked files, changing configuration settings, disabling anti-malware tools, turning off database services, and deleting backup files. Because the systems have been rigged to become as insecure as possible, the threat actors are then able to run old and even free variants of ransomware on them until something works. "In several cases, we've found cryptocurrency mining software that had been around for a while," Ducklin says.

Gartner analyst Avivah Litan says hackers have been using NLBrute for years to brute force their way into systems via RDP. In fact there are even YouTube videos on how to use the tool, she says.

However, the increase in RDP attacks to drop ransomware is a new twist, Litan says. "It reminds me of what happened with online banking attacks," she notes. "As banks implemented more controls that prevented fully automated and mass attacks, criminals started using RDP to manually attack one user at a time."

Attacks via RDP are big threats to organizations, Litan cautions. Endpoint security controls are not very effective at dealing with these attacks because the tools are typically looking for malicious files and fully automated attacks, rather than human-executed manual attacks, she says.

Organizations that want to enable RDP should first ask themselves if they require that access, adds Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "Enabling RDP access to a Windows computer is no different than providing SSH access to a Linux server, so there's definitely justification for doing it and businesses with a need should not be afraid to run RDP."

But it is important to ensure strong passwords and two-factor authentication at a minimum when enabling the service, Reguly says. If possible, require a VPN connection to access the service and avoid direct Internet access.

Also, set a lockout policy to limit password-guessing attacks, Ducklin says. Simply by enforcing a five-minute lockout after three failed guesses you can ensure that crooks can at most try 48 passwords an hour, making a brute force attack impractical, he says.

The Sophos warning is the second in recent weeks involving RDP. In October, Flashpoint warned about Dark Web marketplaces selling access to tens of thousands of brute-forced RDPs around the world. Ultimate Anonymity Services, one of the outfits selling such access, alone had over 35,000 brute-forced RDPs for sale, Forcepoint noted in its report.

Threat actors can use such compromised RDP servers for a variety of reasons in addition to installing ransomware on systems, says Flashpoint cybercrime analyst Olivia Rowley.

"For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase," Rowley says. "Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches."

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .